Changes openssl


  • 8/13/2019 Changes openssl

    1/162

    OpenSSL CHANGES _______________

    Changes between 1.0.0j and 1.0.0k [5 Feb 2013]

    *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

    This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/

    Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. (CVE-2013-0169) [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
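    The constant-time record check this entry refers to can be illustrated with a small added example (written for this page, not OpenSSL's own code) that models TLS-style CBC padding, where the last byte gives the pad length and the preceding pad bytes must all carry the same value (SSLv3's arbitrary pad bytes are not modelled). It places an early-exit check, whose running time depends on the pad value and on where the first mismatch sits, beside a check that always examines the same number of bytes and accumulates its verdict in a mask. The sample records are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constant-time mask helpers: all-ones when the relation holds, zero otherwise.
 * No branch depends on the values being compared. */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    /* a - b, computed in 64 bits, has bit 63 set exactly when a < b */
    return (uint32_t)(((uint64_t)a - (uint64_t)b) >> 63) * 0xFFFFFFFFu;
}

static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    return ct_lt(a ^ b, 1);            /* a ^ b < 1  <=>  a == b */
}

/* Early-exit check. The number of bytes compared, and so the running time,
 * depends on the pad length and on where the first bad byte sits: that data
 * dependence is the timing signal a padding oracle attack measures. */
int padding_ok_naive(const unsigned char *rec, size_t len)
{
    size_t pad, i;
    if (len == 0)
        return 0;
    pad = rec[len - 1];
    if (pad + 1 > len)
        return 0;
    for (i = 0; i <= pad; i++)
        if (rec[len - 1 - i] != pad)
            return 0;
    return 1;
}

/* Constant-time check: always examines the same number of trailing bytes
 * (min(len, 256); 255 is the largest pad length the length byte can claim)
 * regardless of the pad value or of where a mismatch occurs. */
int padding_ok_ct(const unsigned char *rec, size_t len)
{
    size_t i, to_check;
    uint32_t pad, good;

    if (len == 0)                      /* the record length is public */
        return 0;
    pad = rec[len - 1];
    to_check = len < 256 ? len : 256;
    /* "good" starts as all-ones only if the claimed padding fits in the record */
    good = ~ct_lt((uint32_t)len, pad + 1);
    for (i = 0; i < to_check; i++) {
        uint32_t in_pad  = ct_lt((uint32_t)i, pad + 1);       /* i <= pad ? */
        uint32_t matches = ct_eq(rec[len - 1 - i], pad);
        /* bytes inside the padding must match; bytes outside it are ignored */
        good &= ~in_pad | matches;
    }
    return (int)(good & 1);
}

/* Constructed sample records (decrypted record bytes, MAC omitted). */
static const unsigned char rec_valid[]   = {0x41, 0x42, 0x43, 0x44, 0x03, 0x03, 0x03, 0x03};
static const unsigned char rec_badbyte[] = {0x41, 0x42, 0x43, 0x44, 0x02, 0x03, 0x03, 0x03};
static const unsigned char rec_toolong[] = {0x41, 0x42, 0x43, 0x09};
static const unsigned char rec_zeropad[] = {0x41, 0x42, 0x00};

int main(void)
{
    printf("valid    naive=%d ct=%d\n", padding_ok_naive(rec_valid, sizeof rec_valid),
           padding_ok_ct(rec_valid, sizeof rec_valid));
    printf("bad byte naive=%d ct=%d\n", padding_ok_naive(rec_badbyte, sizeof rec_badbyte),
           padding_ok_ct(rec_badbyte, sizeof rec_badbyte));
    printf("too long naive=%d ct=%d\n", padding_ok_naive(rec_toolong, sizeof rec_toolong),
           padding_ok_ct(rec_toolong, sizeof rec_toolong));
    return 0;
}
```

    Both functions return the same verdict on every input; the difference is only in how many bytes are touched along the way. In a real record layer the MAC check has to be made constant time in the same spirit, since the 2013 attack measured the MAC computation rather than the padding comparison alone.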

    *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson]

    *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836. (This is a backport) [Rob Stradling]

    *) Fix possible deadlock when decoding public keys. [Steve Henson]

    Changes between 1.0.0i and 1.0.0j [10 May 2012]

    *) Sanity check record length before skipping explicit IV in DTLS to fix DoS attack.

    Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333) [Steve Henson]

    *) Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue. [Steve Henson]

    Changes between 1.0.0h and 1.0.0i [19 Apr 2012]

    *) Check for potentially exploitable overflows in asn1_d2i_read_bio BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean.

    Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley for fixing it. (CVE-2012-2110) [Adam Langley (Google), Tavis Ormandy, Google Security Team]

    Changes between 1.0.0g and 1.0.0h [12 Mar 2012]


    *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 2^20 messages so it only affects automated senders. The old behaviour can be reenabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode for discovering this issue. (CVE-2012-0884) [Steve Henson]

    *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode for discovering this bug. [Steve Henson]

    Changes between 1.0.0f and 1.0.0g [18 Jan 2012]

    *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) [Antonio Martin]

    Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

    *) Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf

    Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann and Michael Tuexen for preparing the fix. (CVE-2011-4108) [Robin Seggelmann, Michael Tuexen]

    *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)]

    *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George Kadianakis for discovering this issue and Adam Langley for preparing the fix. (CVE-2011-4619) [Adam Langley (Google)]

    *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) [Andrey Kulikov]

    *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein for fixing it. (CVE-2011-4577) [Rob Austein]

    *) Improved PRNG seeding for VOS. [Paul Green]


    *) Fix ssl_ciph.c set-up race. [Adam Langley (Google)]

    *) Fix spurious failures in ecdsatest.c. [Emilia Käsper (Google)]

    *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). [Adam Langley (Google)]

    *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_convert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients.

    This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). [Emilia Käsper (Google)]

    *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. [Bob Buckholz (Google)]

    Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

    *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted by initialising X509_STORE_CTX properly. (CVE-2011-3207) [Kaspar Brand]

    *) Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. (CVE-2011-3210) [Adam Langley (Google)]

    *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller]

    *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check signature public key algorithm by using OID xref utilities instead. Before this you could only use some ECC ciphersuites with SHA1 only. [Steve Henson]

    *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri]

    Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

    *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

    *) Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous. [Steve Henson]

    Changes between 1.0.0b and 1.0.0c [2 Dec 2010]


    *) Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. CVE-2010-4180 [Steve Henson]

    *) Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]

    Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

    *) Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. CVE-2010-3864 [Steve Henson]

    *) Fix WIN32 build system to correctly link an ENGINE directory into a DLL. [Steve Henson]

    Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

    *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover (CVE-2010-1633) [Steve Henson, Peter-Michael Hager]

    Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

    *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher context. The operation can be customised via the ctrl mechanism in case ENGINEs want to include additional functionality. [Steve Henson]

    *) Tolerate yet another broken PKCS#8 key format: private key value negative. [Steve Henson]

    *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to output hashes compatible with older versions of OpenSSL. [Willy Weisz]

    *) Fix compression algorithm handling: if resuming a session use the compression algorithm of the resumed session instead of determining it from client hello again. Don't allow server to change algorithm. [Steve Henson]

    *) Add load_crls() function to apps tidying load_certs() too. Add option to verify utility to allow additional CRLs to be included. [Steve Henson]

    *) Update OCSP request code to permit adding custom headers to the request: some responders need this. [Steve Henson]

    *) The function EVP_PKEY_sign() returns


    didn't handle all updated verify codes correctly. [Steve Henson]

    *) Disable MD2 in the default configuration. [Steve Henson]

    *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to indicate the initial BIO being pushed or popped. This makes it possible to determine whether the BIO is the one explicitly called or as a result of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so it handles reference counts correctly and doesn't zero out the I/O bio when it is not being explicitly popped. WARNING: applications which included workarounds for the old buggy behaviour will need to be modified or they could free up already freed BIOs. [Steve Henson]

    *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni renaming to all platforms (within the 0.9.8 branch, this was done conditionally on Netware platforms to avoid a name clash). [Guenter]

    *) Add ECDHE and PSK support to DTLS. [Michael Tuexen]

    *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't be used on C++. [Steve Henson]

    *) Add "missing" function EVP_MD_flags() (without this the only way to retrieve a digest's flags is by accessing the structure directly). Update EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest or cipher is registered as in the "from" argument. Print out all registered digests in the dgst usage message instead of manually attempting to work them out. [Steve Henson]

    *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: this allows the use of compression and extensions. Change default cipher string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 by default unless an application cipher string requests it. [Steve Henson]

    *) Alter match criteria in PKCS12_parse(). It used to try to use local key ids to find matching certificates and keys but some PKCS#12 files don't follow the (somewhat unwritten) rules and this strategy fails. Now just gather all certificates together and the first private key then look for the first certificate that matches the key. [Steve Henson]

    *) Support use of registered digest and cipher names for dgst and cipher commands instead of having to add each one as a special case. So now you can do:

    openssl sha256 foo

    as well as:

    openssl dgst -sha256 foo

    and this works for ENGINE based algorithms too.


    [Steve Henson]

    *) Update Gost ENGINE to support parameter files. [Victor B. Wagner]

    *) Support GeneralizedTime in ca utility. [Oliver Martin, Steve Henson]

    *) Enhance the hash format used for certificate directory links. The new form uses the canonical encoding (meaning equivalent names will work even if they aren't identical) and uses SHA1 instead of MD5. This form is incompatible with the older format and as a result c_rehash should be used to rebuild symbolic links. [Steve Henson]

    *) Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]

    *) Add a $gcc_devteam_warn option to Configure. The idea is that any code committed to OpenSSL should pass this lot as a minimum. [Steve Henson]

    *) Add session ticket override functionality for use by EAP-FAST. [Jouni Malinen]

    *) Modify HMAC functions to return a value. Since these can be implemented in an ENGINE errors can occur. [Steve Henson]

    *) Type-checked OBJ_bsearch_ex. [Ben Laurie]

    *) Type-checked OBJ_bsearch. Also some constification necessitated by type-checking. Still to come: TXT_DB, bsearch(?), OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, CONF_VALUE. [Ben Laurie]

    *) New function OPENSSL_gmtime_adj() to add a specific number of days and seconds to a tm structure directly, instead of going through OS specific date routines. This avoids any issues with OS routines such as the year 2038 bug. New *_adj() functions for ASN1 time structures and X509_time_adj_ex() to cover the extended range. The existing X509_time_adj() is still usable and will no longer have any date issues. [Steve Henson]

    *) Delta CRL support. New use deltas option which will attempt to locate and search any appropriate delta CRLs available.

    This work was sponsored by Google. [Steve Henson]

    *) Support for CRLs partitioned by reason code. Reorganise CRL processing code and add additional score elements. Validate alternate CRL paths as part of the CRL checking and indicate a new error "CRL path validation error" in this case. Applications wanting additional details can use the verify callback and check the new "parent" field. If this is not NULL, CRL path validation is taking place. Existing applications won't see this because it requires extended CRL support which is off by default.

    This work was sponsored by Google. [Steve Henson]

    *) Support for freshest CRL extension.

    This work was sponsored by Google. [Steve Henson]

    *) Initial indirect CRL support. Currently only supported in the CRLs passed directly and not via lookup. Process certificate issuer CRL entry extension and lookup CRL entries by both issuer name and serial number. Check and process CRL issuer entry in IDP extension.

    This work was sponsored by Google. [Steve Henson]

    *) Add support for distinct certificate and CRL paths. The CRL issuer certificate is validated separately in this case. Only enabled if an extended CRL support flag is set: this flag will enable additional CRL functionality in future.

    This work was sponsored by Google. [Steve Henson]

    *) Add support for policy mappings extension.

    This work was sponsored by Google. [Steve Henson]

    *) Fixes to pathlength constraint, self issued certificate handling, policy processing to align with RFC3280 and PKITS tests.

    This work was sponsored by Google. [Steve Henson]

    *) Support for name constraints certificate extension. DN, email, DNS and URI types are currently supported.

    This work was sponsored by Google. [Steve Henson]

    *) To cater for systems that provide a pointer-based thread ID rather than numeric, deprecate the current numeric thread ID mechanism and replace it with a structure and associated callback type. This mechanism allows a numeric "hash" to be extracted from a thread ID in either case, and on platforms where pointers are larger than 'long', mixing is done to help ensure the numeric 'hash' is usable even if it can't be guaranteed unique. The default mechanism is to use "&errno" as a pointer-based thread ID to distinguish between threads.

    Applications that want to provide their own thread IDs should now use CRYPTO_THREADID_set_callback() to register a callback that will call either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().

    Note that ERR_remove_state() is now deprecated, because it is tied to the assumption that thread IDs are numeric. ERR_remove_state(0) to free the current thread's error state should be replaced by ERR_remove_thread_state(NULL).

    (This new approach replaces the functions CRYPTO_set_idptr_callback(), CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an application was previously providing a numeric thread callback that was inappropriate for distinguishing threads, then uniqueness might have been obtained with &errno that happened immediately in the intermediate development versions of OpenSSL; this is no longer the case, the numeric thread callback will now override the automatic use of &errno.) [Geoff Thorpe, with help from Bodo Moeller]

    *) Initial support for different CRL issuing certificates. This covers a simple case where the self issued certificates in the chain exist and the real CRL issuer is higher in the existing chain.

    This work was sponsored by Google. [Steve Henson]

    *) Removed effectively defunct crypto/store from the build. [Ben Laurie]

    *) Revamp of STACK to provide stronger type-checking. Still to come: TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, CONF_VALUE. [Ben Laurie]

    *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer RAM on SSL connections. This option can save about 34k per idle SSL. [Nick Mathewson]

    *) Revamp of LHASH to provide stronger type-checking. Still to come: STACK, TXT_DB, bsearch, qsort. [Ben Laurie]

    *) Initial support for Cryptographic Message Syntax (aka CMS) based on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, support for data, signedData, compressedData, digestedData and encryptedData, envelopedData types included. Scripts to check against RFC4134 examples draft and interop and consistency checks of many content types and variants. [Steve Henson]

    *) Add options to enc utility to support use of zlib compression BIO. [Steve Henson]

    *) Extend mk1mf to support importing of options and assembly language files from Configure script, currently only included in VC-WIN32. The assembly language rules can now optionally generate the source files from the associated perl scripts. [Steve Henson]

    *) Implement remaining functionality needed to support GOST ciphersuites. Interop testing has been performed using CryptoPro implementations. [Victor B. Wagner]

    *) s390x assembler pack. [Andy Polyakov]


    *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU "family." [Andy Polyakov]

    *) Implement Opaque PRF Input TLS extension as specified in draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an official specification yet and no extension type assignment by IANA exists, this extension (for now) will have to be explicitly enabled when building OpenSSL by providing the extension number to use. For example, specify an option

    -DTLSEXT_TYPE_opaque_prf_input=0x9527

    to the "config" or "Configure" script to enable the extension, assuming extension number 0x9527 (which is a completely arbitrary and unofficial assignment based on the MD5 hash of the Internet Draft). Note that by doing so, you potentially lose interoperability with other TLS implementations since these might be using the same extension number for other purposes.

    SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the opaque PRF input value to use in the handshake. This will create an internal copy of the length-'len' string at 'src', and will return non-zero for success. To get more control and flexibility, provide a callback function by using

    SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
    SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)

    where

    int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
    void *arg;

    Callback function 'cb' will be called in handshakes, and is expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. Argument 'arg' is for application purposes (the value as given to SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly be provided to the callback function). The callback function has to return non-zero to report success: usually 1 to use opaque PRF input just if possible, or 2 to enforce use of the opaque PRF input. In the latter case, the library will abort the handshake if opaque PRF input is not successfully negotiated.

    Arguments 'peerinput' and 'len' given to the callback function will always be NULL and 0 in the case of a client. A server will see the client's opaque PRF input through these variables if available (NULL and 0 otherwise). Note that if the server provides an opaque PRF input, the length must be the same as the length of the client's opaque PRF input.

    Note that the callback function will only be called when creating a new session (session resumption can resume whatever was previously negotiated), and will not be called in SSL 2.0 handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended for applications that need to enforce opaque PRF input.


    [Bodo Moeller]

    *) Update ssl code to support digests other than SHA1+MD5 for handshake MAC. [Victor B. Wagner]

    *) Add RFC4507 support to OpenSSL. This includes the corrections in RFC4507bis. The encrypted ticket format is an encrypted encoded SSL_SESSION structure, that way new session features are automatically supported.

    If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION.

    The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification.

    If a client or server wishes to disable RFC4507 support then the option SSL_OP_NO_TICKET can be set.

    Add a TLS extension debugging callback to allow the contents of any client or server extensions to be examined.

    This work was sponsored by Google. [Steve Henson]

    *) Final changes to avoid use of pointer pointer casts in OpenSSL. OpenSSL should now compile cleanly on gcc 4.2 [Peter Hartley, Steve Henson]

    *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC support including streaming MAC support: this is required for GOST ciphersuite support.

    [Victor B. Wagner, Steve Henson]

    *) Add option -stream to use PKCS#7 streaming in smime utility. New function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() to output in BER and PEM format. [Steve Henson]

    *) Experimental support for use of HMAC via EVP_PKEY interface. This allows HMAC to be handled via the EVP_DigestSign*() interface. The EVP_PKEY "key" in this case is the HMAC key, potentially allowing ENGINE support for HMAC keys which are unextractable. New -mac and -macopt options to dgst utility. [Steve Henson]

    *) New option -sigopt to dgst utility. Update dgst to use EVP_Digest{Sign,Verify}*. These two changes make it possible to use alternative signing parameters such as X9.31 or PSS in the dgst utility. [Steve Henson]

    *) Change ssl_cipher_apply_rule(), the internal function that does the work each time a ciphersuite string requests enabling ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or removing ("!foo+bar") a class of ciphersuites: Now it maintains the order of disabled ciphersuites such that those ciphersuites that most recently went from enabled to disabled not only stay in order with respect to each other, but also have higher priority than other disabled ciphersuites the next time ciphersuites are enabled again.

    This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable the same ciphersuites as with "HIGH" alone, but in a specific order where the PSK ciphersuites come first (since they are the most recently disabled ciphersuites when "HIGH" is parsed).

    Also, change ssl_create_cipher_list() (using this new functionality) such that between otherwise identical ciphersuites, ephemeral ECDH is preferred over ephemeral DH in the default order. [Bodo Moeller]
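    As an added illustration of the ordering rule described in this entry (example code written for this page, not OpenSSL's ssl_cipher_apply_rule(); the four-entry cipher table and its PSK/HIGH class bits are constructed), the simulation below applies "PSK:-PSK:HIGH" and "HIGH" to the same table. Disabled ciphersuites are moved to the head of the working list so that a later enable rule meets them first; the "+" reordering rule and the "foo+bar" conjunction are included, the "!" (kill) rule is not.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CLS_PSK  0x1u
#define CLS_HIGH 0x2u

typedef struct { const char *name; unsigned classes; int active; } cipher_t;

/* Constructed table in "default" order; names and class bits are illustrative. */
static cipher_t table[] = {
    { "AES256-SHA",         CLS_HIGH,           0 },
    { "PSK-AES256-CBC-SHA", CLS_HIGH | CLS_PSK, 0 },
    { "PSK-RC4-SHA",        CLS_PSK,            0 },
    { "AES128-SHA",         CLS_HIGH,           0 },
};
#define N_CIPHERS (sizeof table / sizeof table[0])

enum rule { RULE_ADD, RULE_DEL, RULE_ORD };

/* ADD: inactive matches become active and move to the tail, in list order.
 * ORD ("+"): active matches move to the tail.
 * DEL ("-"): active matches become inactive and move to the head, keeping
 * their relative order, so the most recently disabled ciphers are the first
 * ones a later ADD meets and therefore come out with the highest priority. */
static void apply_rule(cipher_t **order, enum rule op, unsigned cls)
{
    cipher_t *moved[N_CIPHERS], *kept[N_CIPHERS];
    size_t nm = 0, nk = 0, i;

    for (i = 0; i < N_CIPHERS; i++) {
        cipher_t *c = order[i];
        int hit = 0;
        if ((c->classes & cls) == cls) {        /* "foo+bar": every class must match */
            if (op == RULE_ADD && !c->active)     { c->active = 1; hit = 1; }
            else if (op == RULE_DEL && c->active) { c->active = 0; hit = 1; }
            else if (op == RULE_ORD && c->active) hit = 1;
        }
        if (hit) moved[nm++] = c; else kept[nk++] = c;
    }
    if (op == RULE_DEL) {                       /* disabled ciphers go to the head */
        memcpy(order, moved, nm * sizeof *order);
        memcpy(order + nm, kept, nk * sizeof *order);
    } else {                                    /* enabled/reordered ciphers go to the tail */
        memcpy(order, kept, nk * sizeof *order);
        memcpy(order + nk, moved, nm * sizeof *order);
    }
}

static unsigned class_bits(const char *s, size_t n)
{
    if (n == 3 && memcmp(s, "PSK", 3) == 0)  return CLS_PSK;
    if (n == 4 && memcmp(s, "HIGH", 4) == 0) return CLS_HIGH;
    return 0;                                   /* unknown class: rule is skipped */
}

/* Applies a cipher string and returns the active ciphers, highest priority
 * first, joined with ':' in a static buffer. */
const char *build_cipher_list(const char *rules)
{
    static char out[256];
    cipher_t *order[N_CIPHERS];
    const char *p = rules;
    size_t i;

    for (i = 0; i < N_CIPHERS; i++) { table[i].active = 0; order[i] = &table[i]; }

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p), j = 0;
        enum rule op = RULE_ADD;
        unsigned cls = 0;

        if (len && p[0] == '-')      { op = RULE_DEL; j = 1; }
        else if (len && p[0] == '+') { op = RULE_ORD; j = 1; }
        while (j < len) {                       /* split "foo+bar" into its classes */
            size_t k = j;
            while (k < len && p[k] != '+') k++;
            cls |= class_bits(p + j, k - j);
            j = k + 1;
        }
        if (cls) apply_rule(order, op, cls);
        p = end ? end + 1 : p + len;
    }

    out[0] = '\0';
    for (i = 0; i < N_CIPHERS; i++) {
        if (!order[i]->active) continue;
        if (out[0]) strcat(out, ":");
        strcat(out, order[i]->name);
    }
    return out;
}

int main(void)
{
    printf("HIGH          -> %s\n", build_cipher_list("HIGH"));
    printf("PSK:-PSK:HIGH -> %s\n", build_cipher_list("PSK:-PSK:HIGH"));
    return 0;
}
```

    With this table "HIGH" yields the three HIGH ciphers in default order, while "PSK:-PSK:HIGH" yields the same three ciphers with PSK-AES256-CBC-SHA moved to the front, which is the effect the entry describes. Against a real build, `openssl ciphers -v 'PSK:-PSK:HIGH'` shows the library's own result for comparison.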

    *) Change ssl_create_cipher_list() so that it automatically arranges the ciphersuites in reasonable order before starting to process the rule string. Thus, the definition for "DEFAULT" (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". This makes it much easier to arrive at a reasonable default order in applications for which anonymous ciphers are OK (meaning that you can't actually use DEFAULT). [Bodo Moeller; suggested by Victor Duchovni]

    *) Split the SSL/TLS algorithm mask (as used for ciphersuite string processing) into multiple integers instead of setting "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. (These masks as well as the individual bit definitions are hidden away into the non-exported interface ssl/ssl_locl.h, so this change to the definition of the SSL_CIPHER structure shouldn't affect applications.) This gives us more bits for each of these categories, so there is no longer a need to coagulate AES128 and AES256 into a single algorithm bit, and to coagulate Camellia128 and Camellia256 into a single algorithm bit, which has led to all kinds of kludges.

    Thus, among other things, the kludge introduced in 0.9.7m and 0.9.8e for masking out AES256 independently of AES128 or masking out Camellia256 independently of AES256 is not needed here in 0.9.9.

    With the change, we also introduce new ciphersuite aliases that so far were missing: "AES128", "AES256", "CAMELLIA128", and "CAMELLIA256". [Bodo Moeller]

    *) Add support for dsa-with-SHA224 and dsa-with-SHA256. Use the leftmost N bytes of the signature input if the input is larger than the prime q (with N being the size in bytes of q). [Nils Larsch]

    *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses it yet and it is largely untested. [Steve Henson]

    *) Add support for the ecdsa-with-SHA224/256/384/512 signature types. [Nils Larsch]

    *) Initial incomplete changes to avoid need for function casts in OpenSSL: some compilers (gcc 4.2 and later) reject their use. Safestack is reimplemented. Update ASN1 to avoid use of legacy functions. [Steve Henson]

    *) Win32/64 targets are linked with Winsock2. [Andy Polyakov]

    *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected to external functions. This can be used to increase CRL handling efficiency especially when CRLs are very large by (for example) storing the CRL revoked certificates in a database. [Steve Henson]

    *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so new CRLs added to a directory can be used. New command line option -verify_return_error to s_client and s_server. This causes real errors to be returned by the verify callback instead of carrying on no matter what. This reflects the way a "real world" verify callback would behave. [Steve Henson]

    *) GOST engine, supporting several GOST algorithms and public key formats. Kindly donated by Cryptocom. [Cryptocom]

    *) Partial support for Issuing Distribution Point CRL extension. CRLs partitioned by DP are handled but no indirect CRL or reason partitioning (yet). Complete overhaul of CRL handling: now the most suitable CRL is selected via a scoring technique which handles IDP and AKID in CRLs. [Steve Henson]

    *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which will ultimately be used for all verify operations: this will remove the X509_STORE dependency on certificate verification and allow alternative lookup methods. X509_STORE based implementations of these two callbacks. [Steve Henson]

    *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. Modify get_crl() to find a valid (unexpired) CRL if possible. [Steve Henson]

    *) New function X509_CRL_match() to check if two CRLs are identical. Normally this would be called X509_CRL_cmp() but that name is already used by a function that just compares CRL issuer names. Cache several CRL extensions in X509_CRL structure and cache CRLDP in X509. [Steve Henson]

    *) Store a "canonical" representation of X509_NAME structure (ASN1 Name): this maps equivalent X509_NAME structures into a consistent structure. Name comparison can then be performed rapidly using memcmp(). [Steve Henson]

    *) Non-blocking OCSP request processing. Add -timeout option to ocsp utility. [Steve Henson]

    *) Allow digests to supply their own micalg string for S/MIME type using the ctrl EVP_MD_CTRL_MICALG. [Steve Henson]

    *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure before and/or after signing if necessary. [Steve Henson]

    *) New function OBJ_add_sigid() to allow application defined signature OIDs to be added to OpenSSL's internal tables. New function OBJ_sigid_free() to free up any added signature OIDs. [Steve Henson]

    *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal digest and cipher tables. New options added to openssl utility: list-message-digest-algorithms and list-cipher-algorithms. [Steve Henson]

    *) Change the array representation of binary polynomials: the list of degrees of non-zero coefficients is now terminated with -1. Previously it was terminated with 0, which was also part of the value; thus, the array representation was not applicable to polynomials where t^0 has coefficient zero. This change makes the array representation useful in a more general context. [Douglas Stebila]
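    The two representations compared in this entry, as an added example written for this page rather than OpenSSL's own polynomial code. Polynomials are held as 64-bit masks (bit i set when the coefficient of t^i is 1), so the toy only covers degrees below 64; the degree lists are constructed inputs.

```c
#include <stdio.h>
#include <stddef.h>

/* Old form: the terminating 0 was also read as a coefficient, so every
 * polynomial it could express had a t^0 term. */
unsigned long long poly_from_degrees_old(const int *degs)
{
    unsigned long long bits = 0;
    for (;; degs++) {
        bits |= 1ULL << *degs;
        if (*degs == 0)
            return bits;
    }
}

/* New form: -1 ends the list and carries no coefficient, so t^3 + t is
 * representable as {3, 1, -1}. */
unsigned long long poly_from_degrees(const int *degs)
{
    unsigned long long bits = 0;
    for (; *degs != -1; degs++)
        bits |= 1ULL << *degs;
    return bits;
}

/* Inverse of the new form: writes the degrees of `bits` (highest first) and
 * the -1 terminator into `out`, which holds `max` entries; returns the number
 * of non-zero coefficients. */
size_t poly_to_degrees(unsigned long long bits, int *out, size_t max)
{
    size_t n = 0;
    int d;
    for (d = 63; d >= 0 && n + 1 < max; d--)
        if ((bits >> d) & 1)
            out[n++] = d;
    out[n] = -1;
    return n;
}

/* Round trip through the new representation; 1 if `bits` is reproduced. */
int poly_roundtrip(unsigned long long bits)
{
    int degs[65];
    poly_to_degrees(bits, degs, 65);
    return poly_from_degrees(degs) == bits;
}

/* Constructed inputs. */
static const int old_t3_t1[] = {3, 1, 0};     /* old form: t^3 + t + 1 */
static const int new_t3_t[]  = {3, 1, -1};    /* new form: t^3 + t (no constant term) */
static const int new_t4_t1[] = {4, 1, 0, -1}; /* new form: t^4 + t + 1 */

int main(void)
{
    printf("old {3,1,0}    -> 0x%llx\n", poly_from_degrees_old(old_t3_t1)); /* 0xb */
    printf("new {3,1,-1}   -> 0x%llx\n", poly_from_degrees(new_t3_t));      /* 0xa */
    printf("new {4,1,0,-1} -> 0x%llx\n", poly_from_degrees(new_t4_t1));     /* 0x13 */
    return 0;
}
```

    The old reader cannot produce 0xa (t^3 + t) from any input, because its terminator is always folded into the value; the new reader distinguishes {3, 1, -1} from {3, 1, 0, -1}.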

    *) Various modifications and fixes to SSL/TLS cipher string handling. For ECC, the code now distinguishes between fixed ECDH with RSA certificates on the one hand and with ECDSA certificates on the other hand, since these are separate ciphersuites. The unused code for Fortezza ciphersuites has been removed.

    For consistency with EDH, ephemeral ECDH is now called "EECDH" (not "ECDHE"). For consistency with the code for DH certificates, use of ECDH certificates is now considered ECDH authentication, not RSA or ECDSA authentication (the latter is merely the CA's signing algorithm and not actively used in the protocol).

    The temporary ciphersuite alias "ECCdraft" is no longer available, and ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT". The following aliases now exist for RFC 4492 ciphersuites, most of these by analogy with the DH case:

    kECDHr - ECDH cert, signed with RSA
    kECDHe - ECDH cert, signed with ECDSA
    kECDH  - ECDH cert (signed with either RSA or ECDSA)
    kEECDH - ephemeral ECDH
    ECDH   - ECDH cert or ephemeral ECDH

    aECDH  - ECDH cert
    aECDSA - ECDSA cert
    ECDSA  - ECDSA cert

    AECDH  - anonymous ECDH
    EECDH  - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

    [Bodo Moeller]


    *) Add additional S/MIME capabilities for AES and GOST ciphers if supported. Use correct micalg parameters depending on digest(s) in signed message. [Steve Henson]

    *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. [Steve Henson]

    *) Initial engine support for EVP_PKEY_METHOD. New functions to permit an engine to register a method. Add ENGINE lookups for methods and functional reference processing. [Steve Henson]

    *) New functions EVP_Digest{Sign,Verify}*. These are enhanced versions of EVP_{Sign,Verify}* which allow an application to customise the signature process. [Steve Henson]

    *) New -resign option to smime utility. This adds one or more signers to an existing PKCS#7 signedData structure. Also -md option to use an alternative message digest algorithm for signing. [Steve Henson]

    *) Tidy up PKCS#7 routines and add new functions to make it easier to create PKCS7 structures containing multiple signers. Update smime application to support multiple signers. [Steve Henson]

    *) New -macalg option to pkcs12 utility to allow setting of an alternative digest MAC. [Steve Henson]

    *) Initial support for PKCS#5 v2.0 PRFs other than the default SHA1 HMAC. Reorganize PBE internals to lookup from a static table using NIDs, add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl, EVP_CTRL_PBE_PRF_NID: this allows a cipher to specify an alternative PRF which will be automatically used with PBES2. [Steve Henson]

    *) Replace the algorithm specific calls to generate keys in "req" with the new API. [Steve Henson]

    *) Update PKCS#7 enveloped data routines to use new API. This is now supported by any public key method supporting the encrypt operation. A ctrl is added to allow the public key algorithm to examine or modify the PKCS#7 RecipientInfo structure if it needs to: for RSA this is a no op. [Steve Henson]

    *) Add a ctrl to asn1 method to allow a public key algorithm to express a default digest type to use. In most cases this will be SHA1 but some algorithms (such as GOST) need to specify an alternative digest. The return value indicates how strong the preference is: 1 means optional and 2 means mandatory (that is, it is the only supported type). Modify ASN1_item_sign() to accept a NULL digest argument to indicate it should use the default md. Update openssl utilities to use the default digest type for signing if it is not explicitly indicated. [Steve Henson]


    *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link between digests and public key types. [Steve Henson]

    *) Add an OID cross reference table and utility functions. Its purpose is to translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, rsaEncryption. This will allow some of the algorithm specific hackery needed to use the correct OID to be removed. [Steve Henson]

    *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO structures for PKCS7_sign(). They are now set up by the relevant public key ASN1 method. [Steve Henson]

    *) Add provisional EC pkey method with support for ECDSA and ECDH. [Steve Henson]

    *) Add support for key derivation (agreement) in the API, DH method and pkeyutl. [Steve Henson]

    *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support public and private key formats. As a side effect these add additional command line functionality not previously available: DSA signatures can be generated and verified using pkeyutl and DH key support and generation in pkey, genpkey. [Steve Henson]

    *) BeOS support. [Oliver Tappe]

    *) New make target "install_html_docs" installs HTML renditions of the manual pages. [Oliver Tappe]

    *) New utility "genpkey": this is analogous to "genrsa" etc except it can generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to support key and parameter generation and add initial key generation functionality for RSA. [Steve Henson]

    *) Add functions for main EVP_PKEY_method operations. The undocumented functions EVP_PKEY_{encrypt,decrypt} have been renamed to EVP_PKEY_{encrypt,decrypt}_old. [Steve Henson]

    *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public key API; it doesn't do much yet. [Steve Henson]

    *) New function EVP_PKEY_asn1_get0_info() to retrieve information about public key algorithms. New option to openssl utility: "list-public-key-algorithms" to print out info. [Steve Henson]

    *) Implement the Supported Elliptic Curves Extension for ECC ciphersuites from draft-ietf-tls-ecc-12.txt.


    SSL_get_servername_type()
    SSL_set_SSL_CTX()

    New CTRL codes and macros (subject to change):

    SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - SSL_CTX_set_tlsext_servername_callback()
    SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG - SSL_CTX_set_tlsext_servername_arg()
    SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

    openssl s_client has a new '-servername ...' option.

    openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option.

    [Peter Sylvester, Remy Allais, Christophe Renou]

    *) Whirlpool hash implementation is added. [Andy Polyakov]

    *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to bn(64,32). Because of instruction set limitations it doesn't have any negative impact on performance. This was done mostly in order to make it possible to share assembler modules, such as bn_mul_mont implementations, between 32- and 64-bit builds without hassle. [Andy Polyakov]

    *) Move code previously exiled into file crypto/ec/ec2_smpt.c to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP macro. [Bodo Moeller]

    *) New candidate for BIGNUM assembler implementation, bn_mul_mont, dedicated Montgomery multiplication procedure, is introduced. BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher "64-bit" performance on certain 32-bit targets. [Andy Polyakov]

    *) New option SSL_OP_NO_COMP to disable use of compression selectively in SSL structures. New SSL ctrl to set maximum send fragment size. Save memory by setting the I/O buffer sizes dynamically instead of using the maximum available value. [Steve Henson]

    *) New option -V for 'openssl ciphers'. This prints the ciphersuite code in addition to the text details. [Bodo Moeller]

    *) Very, very preliminary EXPERIMENTAL support for printing of general ASN1 structures. This currently produces rather ugly output and doesn't handle several customised structures at all. [Steve Henson]

    *) Integrated support for PVK file format and some related formats such as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support these in the 'rsa' and 'dsa' utilities. [Steve Henson]

    *) Support for PKCS#1 RSAPublicKey format on rsa utility command line. [Steve Henson]

    *) Remove the ancient ASN1_METHOD code. This was only ever used in one place for the (very old) "NETSCAPE" format certificates which are now handled using new ASN1 code equivalents. [Steve Henson]

    *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD pointer and make the SSL_METHOD parameter in SSL_CTX_new, SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. [Nils Larsch]

    *) Modify CRL distribution points extension code to print out previously unsupported fields. Enhance extension setting code to allow setting of all fields. [Steve Henson]

    *) Add print and set support for Issuing Distribution Point CRL extension. [Steve Henson]

    *) Change 'Configure' script to enable Camellia by default. [NTT]

    Changes between 0.9.8s and 0.9.8t [18 Jan 2012]

    *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) [Antonio Martin]

    Changes between 0.9.8r and 0.9.8s [4 Jan 2012]

    *) Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann and Michael Tuexen for preparing the fix. (CVE-2011-4108)

    [Robin Seggelmann, Michael Tuexen]

    *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) [Ben Laurie, Kasper]

    *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)]

    *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George Kadianakis for discovering this issue and Adam Langley for preparing the fix. (CVE-2011-4619) [Adam Langley (Google)]

    *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein for fixing it. (CVE-2011-4577) [Rob Austein]

    *) Fix ssl_ciph.c set-up race. [Adam Langley (Google)]

    *) Fix spurious failures in ecdsatest.c. [Emilia Käsper (Google)]

    *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). [Adam Langley (Google)]

    *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_convert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients.

    This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). [Emilia Käsper (Google)]

    *) Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. [Adam Langley (Google)]

    *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller]

    *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri]

    Changes between 0.9.8q and 0.9.8r [8 Feb 2011]

    *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

    *) Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous. [Steve Henson]
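    The ambiguity that entry describes is easiest to see with a small encoder and parser side by side. The C program below is an added illustration, not OpenSSL's string printing code: values are joined with ',' as the delimiter and '\' as the escape character, and the function names, the special-character set and the buffer limits are assumptions made for the example. With the old behaviour (backslash left unescaped) the value `a\,b` serialises to `a\\,b`, which any parser can only read as the two values `a\` and `b`; once the escape character is escaped too, the round trip is exact.

```c
#include <stdio.h>
#include <string.h>

#define ESC        '\\'     /* escape character */
#define MAX_FIELDS 4        /* assumed limits for the example */
#define FIELD_CAP  16

/* Characters that must be escaped inside a value (',' is the field delimiter). */
static const char SPECIAL[] = ",";

/* Serialise in -> out. escape_esc selects the fixed behaviour (1: the escape
 * character is itself escaped) or the old ambiguous one (0).
 * Returns the length written, or (size_t)-1 if out is too small. */
static size_t escape_value(const char *in, char *out, size_t cap, int escape_esc)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        int needs = strchr(SPECIAL, *in) != NULL || (escape_esc && *in == ESC);
        if (n + (size_t)needs + 2 > cap)   /* this byte, its escape, and the NUL */
            return (size_t)-1;
        if (needs)
            out[n++] = ESC;
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Split an encoded list on unescaped delimiters, unescaping each field.
 * Returns the number of fields, or -1 if a limit is exceeded. */
static int split_fields(const char *enc, char fields[MAX_FIELDS][FIELD_CAP])
{
    int nf = 0;
    size_t pos = 0;
    for (;; enc++) {
        char c = *enc;
        int literal = 0;
        if (c == ESC && enc[1] != '\0') {      /* escape sequence: next byte is literal */
            c = *++enc;
            literal = 1;
        }
        if (!literal && (c == ',' || c == '\0')) {
            if (nf >= MAX_FIELDS)
                return -1;
            fields[nf++][pos] = '\0';
            pos = 0;
            if (c == '\0')
                return nf;
            continue;
        }
        if (nf >= MAX_FIELDS || pos + 1 >= FIELD_CAP)
            return -1;
        fields[nf][pos++] = c;
    }
}

/* Constructed input: the four bytes a \ , b.  Returns 1 if the fixed encoder
 * round-trips it as one field and the old encoder is misread as two. */
static int escape_demo(void)
{
    const char *value = "a\\,b";
    char enc[32];
    char fields[MAX_FIELDS][FIELD_CAP];

    /* Fixed: backslash and comma both escaped -> a\\\,b -> one field, unchanged. */
    if (escape_value(value, enc, sizeof enc, 1) == (size_t)-1) return 0;
    if (strcmp(enc, "a\\\\\\,b") != 0) return 0;
    if (split_fields(enc, fields) != 1 || strcmp(fields[0], value) != 0) return 0;

    /* Old: only the comma escaped -> a\\,b.  The parser must read "\\" as an
     * escaped backslash, so the comma becomes a delimiter: fields "a\" and "b". */
    if (escape_value(value, enc, sizeof enc, 0) == (size_t)-1) return 0;
    if (strcmp(enc, "a\\\\,b") != 0) return 0;
    if (split_fields(enc, fields) != 2) return 0;
    if (strcmp(fields[0], "a\\") != 0 || strcmp(fields[1], "b") != 0) return 0;
    return 1;
}

int main(void)
{
    printf("escaping demo: %s\n", escape_demo() ? "ambiguity reproduced, fix verified" : "FAILED");
    return 0;
}
```

    The same rule applies to any escaping scheme: the decoder has a single grammar, so the encoder must make every literal occurrence of the escape character distinguishable from an escape, or different inputs collide on one output.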

    Changes between 0.9.8p and 0.9.8q [2 Dec 2010]

    *) Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. CVE-2010-4180 [Steve Henson]


    *) Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]

    Changes between 0.9.8o and 0.9.8p [16 Nov 2010]

    *) Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. CVE-2010-3864 [Steve Henson]

    *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 [Steve Henson]

    *) Don't reencode certificate when calculating signature: cache and use the original encoding instead. This makes signature verification of some broken encodings work correctly. [Steve Henson]

    *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs. [Emilia Käsper (Google)]

    *) Don't repeatedly append PBE algorithms to table if they already exist. Sort table on each new add. This effectively makes the table read only after all algorithms are added and subsequent calls to PKCS12_pbe_add etc are non-op. [Steve Henson]

    Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

    [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after OpenSSL 1.0.0.]

    *) Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742) [Steve Henson, Ronald Moesbergen]

    *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail. [Steve Henson]

    *) VMS fixes:
       - Reduce copying into .apps and .test in makevms.com
       - Don't try to use blank CA certificate in CA.com
       - Allow use of C files from original directories in maketests.com
    [Steven M. Schweda]

    Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

    *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of
       - OpenSSL 0.9.8m if 'short' is a 16-bit type,
       - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
    the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley]


    *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger]

    Changes between 0.9.8l and 0.9.8m [25 Feb 2010]

    *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta]

    *) Fix X509_STORE locking: Every 'objs' access requires a lock (to accommodate for stack sorting, always a write lock!). [Bodo Moeller]

    *) On some versions of WIN32 Heap32Next is very slow. This can cause excessive delays in the RAND_poll(): over a minute. As a workaround include a time check in the inner Heap32Next loop too. [Steve Henson]

    *) The code that handled flushing of data in SSL/TLS originally used the BIO_CTRL_INFO ctrl to see if any data was pending first. This caused the problem outlined in PR#1949. The fix suggested there however can trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions of Apache). So instead simplify the code to flush unconditionally. This should be fine since flushing with no data to flush is a no op. [Steve Henson]

    *) Handle TLS versions 2.0 and later properly and correctly use the highest version of TLS/SSL supported. Although TLS >= 2.0 is some way off ancient servers have a habit of sticking around for a while... [Steve Henson]

    *) Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355. [Steve Henson]

    *) Constify crypto/cast (i.e., ): a CAST_KEY doesn't change when encrypting or decrypting. [Bodo Moeller]

    *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect and renegotiate with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson]

    *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson]

    *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson]

    *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. [Steve Henson]

    *) Replace the highly broken and deprecated SPKAC certification method with the updated NID creation version. This should correctly handle UTF8. [Steve Henson]

    *) Implement RFC5746. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. [Eric Rescorla, Ben Laurie, Steve Henson]

    *) Fixes to stateless session resumption handling. Use initial_ctx when issuing and attempting to decrypt tickets in case it has changed during servername handling. Use a non-zero length session ID when attempting stateless session resumption: this makes it possible to determine if a resumption has occurred immediately after receiving server hello (several places in OpenSSL subtly assume this) instead of later in the handshake. [Steve Henson]

    *) The functions ENGINE_ctrl(), OPENSSL_isservice(), CMS_get1_RecipientRequest() and RAND_bytes() can return


    *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and OPENSSL_asc2uni conditionally on Netware platforms to avoid a name clash. [Guenter]

    *) Fix the server certificate chain building code to use X509_verify_cert(), it used to have an ad-hoc builder which was unable to cope with anything other than a simple chain. [David Woodhouse, Steve Henson]

    *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson]

    *) In dtls1_process_out_of_seq_message() the check if the current message is already buffered was missing. Memory was allocated for every new message, allowing an attacker to perform a denial of service attack by sending out of sequence handshake messages until there is no memory left. Additionally every future message was buffered, even if the sequence number made no sense and would be part of another handshake. So only messages with sequence numbers less than 10 in advance will be buffered. (CVE-2009-1378) [Robin Seggelmann, discovered by Daniel Mentz]

    *) Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is currently no limitation to this buffer allowing an attacker to perform a DoS attack by sending records with future epochs until there is no memory left. This patch adds the pqueue_size() function to determine the size of a buffer and limits the record buffer to 100 entries. (CVE-2009-1377) [Robin Seggelmann, discovered by Daniel Mentz]
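    Both fixes come down to bounding a queue that unauthenticated datagrams can fill: future handshake messages are kept only inside a window of 10 sequence numbers and are never stored twice, and future-epoch records are capped at 100. The C model below is an added illustration of that logic, not OpenSSL's dtls1_process_out_of_seq_message() or pqueue code; the structure and function names, the constructed flood of sequence numbers 1..999 sent twice each, and the burst of 150 records are assumptions made for the example. What it shows is that the attacker's cost to the server is fixed by the window and the cap, not by how many datagrams they send.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HS_WINDOW        10   /* keep only seq < next_seq + 10 (the CVE-2009-1378 limit) */
#define RECORD_QUEUE_MAX 100  /* keep at most 100 future-epoch records (the CVE-2009-1377 cap) */

enum { HS_NOMEM = 0, HS_IN_ORDER, HS_QUEUED, HS_DUPLICATE, HS_TOO_FAR, HS_OLD };

struct hs_buffer {
    unsigned next_seq;        /* handshake message the state machine expects next */
    char *slot[HS_WINDOW];    /* slot[i]: copy of message next_seq + i, or NULL */
    size_t len[HS_WINDOW];
    unsigned allocations;     /* buffers allocated so far: what a flood tries to drive up */
};

/* Classify a handshake message by sequence number. Only HS_QUEUED allocates. */
static int hs_buffer_message(struct hs_buffer *b, unsigned seq, const void *msg, size_t len)
{
    unsigned i = seq - b->next_seq;
    char *copy;
    if (seq < b->next_seq)  return HS_OLD;        /* already processed: drop */
    if (seq == b->next_seq) return HS_IN_ORDER;   /* process directly, nothing to buffer */
    if (i >= HS_WINDOW)     return HS_TOO_FAR;    /* beyond the window: drop, no allocation */
    if (b->slot[i] != NULL) return HS_DUPLICATE;  /* the missing check: a retransmit must not allocate again */
    if ((copy = malloc(len)) == NULL) return HS_NOMEM;
    memcpy(copy, msg, len);
    b->slot[i] = copy; b->len[i] = len; b->allocations++;
    return HS_QUEUED;
}

static void hs_free(struct hs_buffer *b)
{
    unsigned i;
    for (i = 0; i < HS_WINDOW; i++) { free(b->slot[i]); b->slot[i] = NULL; }
}

struct record_queue {
    char *rec[RECORD_QUEUE_MAX];
    size_t len[RECORD_QUEUE_MAX];
    unsigned count;
};

/* Queue a record that arrived with a future epoch: 1 if kept, 0 once the cap is hit. */
static int rq_push(struct record_queue *q, const void *rec, size_t len)
{
    char *copy;
    if (q->count >= RECORD_QUEUE_MAX || (copy = malloc(len)) == NULL) return 0;
    memcpy(copy, rec, len);
    q->rec[q->count] = copy; q->len[q->count] = len; q->count++;
    return 1;
}

static void rq_free(struct record_queue *q)
{
    while (q->count > 0) free(q->rec[--q->count]);
}

/* Constructed flood: out-of-order seq 1..999, each sent twice (one retransmit).
 * Returns how many buffers the flood allocated: 9, one each for seq 1..9. */
static unsigned hs_flood_allocations(void)
{
    struct hs_buffer b;
    const unsigned char msg[4] = {0x16, 0xfe, 0xff, 0x01};   /* constructed payload */
    unsigned seq, allocs;
    memset(&b, 0, sizeof b);                                  /* next_seq = 0 */
    for (seq = 1; seq < 1000; seq++) {
        hs_buffer_message(&b, seq, msg, sizeof msg);
        hs_buffer_message(&b, seq, msg, sizeof msg);
    }
    allocs = b.allocations;
    hs_free(&b);
    return allocs;
}

/* Constructed burst of 150 future-epoch records; returns how many were kept: 100. */
static unsigned rq_flood_kept(void)
{
    struct record_queue q;
    const unsigned char rec[13] = {0x17, 0xfe, 0xff, 0x00, 0x01};   /* constructed record */
    unsigned i, kept = 0;
    q.count = 0;
    for (i = 0; i < 150; i++) kept += (unsigned)rq_push(&q, rec, sizeof rec);
    rq_free(&q);
    return kept;
}

int main(void)
{
    printf("handshake buffers allocated by flood: %u (window %d)\n", hs_flood_allocations(), HS_WINDOW);
    printf("future-epoch records kept: %u (cap %d)\n", rq_flood_kept(), RECORD_QUEUE_MAX);
    return 0;
}
```

    The duplicate check matters as much as the window: without it, a single in-window sequence number retransmitted in a loop allocates a fresh buffer per datagram, so a window alone would not have closed the hole.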

    *) Keep a copy of frag->msg_header.frag_len so it can be used after the parent structure is freed. (CVE-2009-1379) [Daniel Mentz]

    *) Handle non-blocking I/O properly in SSL_shutdown() call. [Darryl Miles]

    *) Add 2.5.4.* OIDs [Ilya O.]

    Changes between 0.9.8k and 0.9.8l [5 Nov 2009]

    *) Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie]

    Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

    *) Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789) [Paolo Ganci]

    *) Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591) [Ivan Nestlerode]

    *) Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590) [Steve Henson]

    *) Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level. [Steve Henson]

    *) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures. [Steve Henson]

    *) Improve efficiency of mem_gets: don't search whole buffer each time for a '\n' [Jeremy Shapiro]

    *) New -hex option for openssl rand. [Matthieu Herrb]

    *) Print out UTF8String and NumericString when parsing ASN1. [Steve Henson]

    *) Support NumericString type for name components. [Steve Henson]

    *) Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler. [Ben Laurie]

    Changes between 0.9.8i and 0.9.8j [07 Jan 2009]

    *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). [Ben Laurie, Bodo Moeller, Google Security Team]

    *) Enable TLS extensions by default. [Ben Laurie]

    *) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.) [Sander Temme]

    *) Use correct exit code if there is an error in dgst command. [Steve Henson; problem pointed out by Roland Dirlewanger]

    *) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. [Bodo Moeller]


    *) Add experimental JPAKE support, including demo authentication in s_client and s_server. [Ben Laurie]

    *) Set the comparison function in v3_addr_canonize(). [Rob Austein]

    *) Add support for XMPP STARTTLS in s_client. [Philip Paeps]

    *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.) [Bodo Moeller]

    Changes between 0.9.8h and 0.9.8i [15 Sep 2008]

    *) Fix NULL pointer dereference if a DTLS server received ChangeCipherSpec as first record (CVE-2009-1386). [PR #1679]

    *) Fix a state transition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). [Nagendra Modadugu]

    *) The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c. [Bodo Moeller; problem pointed out by Marius Schilder]

    *) Various precautionary measures:
       - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
       - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.)
       - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range.
       - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds.
    [Neel Mehta, Bodo Moeller]

    *) Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros. [Ben Laurie and the FreeBSD team]

    *) Add support for Local Machine Keyset attribute in PKCS#12 files. [Steve Henson]


    32-bit x86 is available through a compile-time setting.

    To try the 32-bit x86 assembler implementation, use Configure option "enable-montasm" (which exists only for this backport).

    As "enable-montasm" for 32-bit x86 disclaims code stability anyway, in this constellation we activate additional code backported from 0.9.9-dev for further performance improvements, namely BN_from_montgomery_word. (To enable this otherwise, e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)

    [Andy Polyakov (backport partially by Bodo Moeller)]

    *) Add TLS session ticket callback. This allows an application to set TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed values. This is useful for key rollover for example where several key sets may exist with different names. [Steve Henson]

    *) Reverse ENGINE-internal logic for caching default ENGINE handles. This was broken until now in 0.9.8 releases, such that the only way a registered ENGINE could be used (assuming it initialises successfully on the host) was to explicitly set it as the default for the relevant algorithms. This is in contradiction with 0.9.7 behaviour and the documentation. With this fix, when an ENGINE is registered into a given algorithm's table of implementations, the 'uptodate' flag is reset so that auto-discovery will be used next time a new context for that algorithm attempts to select an implementation. [Ian Lister (tweaked by Geoff Thorpe)]

    *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 implementation in the following ways:
       - Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be hard coded.
       - Lack of BER streaming support means one pass streaming processing is only supported if data is detached: setting the streaming flag is ignored for embedded content.
    CMS support is disabled by default and must be explicitly enabled with the enable-cms configuration option. [Steve Henson]

    *) Update the GMP engine glue to do direct copies between BIGNUM and mpz_t when openssl and GMP use the same limb size. Otherwise the existing "conversion via a text string export" trick is still used. [Paul Sheer]

    *) Zlib compression BIO. This is a filter BIO which compresses and uncompresses any data passed through it. [Steve Henson]

    *) Add AES_wrap_key() and AES_unwrap_key() functions to implement RFC3394 compatible AES key wrapping. [Steve Henson]

    *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): sets string data without copying. X509_ALGOR_set0() and X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) data. Attribute function X509at_get0_data_by_OBJ(): retrieves data from an X509_ATTRIBUTE structure optionally checking it occurs only once. ASN1_TYPE_set1(): sets an ASN1_TYPE structure, copying the supplied data. [Steve Henson]

    *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior. [Bodo Moeller (Google)]

    *) Netware support:
       - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
       - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
       - added some more tests to do_tests.pl
       - fixed RunningProcess usage so that it works with newer LIBC NDKs too
       - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
       - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
       - various changes to netware.pl to enable gcc-cross builds on Win32 platform
       - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
       - various changes to fix missing prototype warnings
       - fixed x86nasm.pl to create correct asm files for NASM COFF output
       - added AES, WHIRLPOOL and CPUID assembler code to build files
       - added missing AES assembler make rules to mk1mf.pl
       - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
    [Guenter Knauf]

    *) Implement certificate status request TLS extension defined in RFC3546. A client can set the appropriate parameters and receive the encoded OCSP response via a callback. A server can query the supplied parameters and set the encoded OCSP response in the callback. Add simplified examples to s_client and s_server. [Steve Henson]

    Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

    *) Fix various bugs:
       + Binary incompatibility of ssl_ctx_st structure
       + DTLS interoperation with non-compliant servers
       + Don't call get_session_cb() without proposed session
       + Fix ia64 assembler code
    [Andy Polyakov, Steve Henson]

    Changes between 0.9.8e and 0.9.8f [11 Oct 2007]

    *) DTLS Handshake overhaul. There were longstanding issues with OpenSSL DTLS implementation, which were making it impossible for RFC 4347 compliant client to communicate with OpenSSL server. Unfortunately just fixing these incompatibilities would "cut off" pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e server keeps tolerating non RFC compliant syntax. The opposite is not true, 0.9.8f client can not communicate with earlier server. This update even addresses CVE-2007-4995. [Andy Polyakov]

    *) Changes to avoid need for function casts in OpenSSL: some compilers (gcc 4.2 and later) reject their use. [Kurt Roeckx, Peter Hartley, Steve Henson]

    *) Add RFC4507 support to OpenSSL. This includes the corrections in RFC4507bis. The encrypted ticket format is an encrypted encoded SSL_SESSION structure, that way new session features are automatically supported.

    If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION.

    The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification.

    If a client or server wishes to disable RFC4507 support then the option SSL_OP_NO_TICKET can be set.

    Add a TLS extension debugging callback to allow the contents of any client or server extensions to be examined.

    This work was sponsored by Google. [Steve Henson]

    *) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new members for a host name. The SSL data structure has an additional member SSL_CTX *initial_ctx so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's server_name extension.

    New functions (subject to change):

    SSL_get_servername()
    SSL_get_servername_type()
    SSL_set_SSL_CTX()

    New CTRL codes and macros (subject to change):

    SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - SSL_CTX_set_tlsext_servername_callback()
    SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG - SSL_CTX_set_tlsext_servername_arg()
    SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

    openssl s_client has a new '-servername ...' option.

    openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option.

    [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]

    *) Add AES and SSE2 assembly language support to VC++ build. [Steve Henson]

    *) Mitigate attack on final subtraction in Montgomery reduction. [Andy Polyakov]

    *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 (which previously caused an internal error). [Bodo Moeller]

    *) Squeeze another 10% out of IGE mode when in != out. [Ben Laurie]

    *) AES IGE mode speedup. [Dean Gaudet (Google)]

    *) Add the Korean symmetric 128-bit cipher SEED (see http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and add SEED ciphersuites from RFC 4162:

    TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
    TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
    TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
    TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"

    To minimize changes between patchlevels in the OpenSSL 0.9.8 series, SEED remains excluded from compilation unless OpenSSL is configured with 'enable-seed'. [KISA, Bodo Moeller]

    *) Mitigate branch prediction attacks, which can be practical if a single processor is shared, allowing a spy process to extract information. For detailed background information, see http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures"). The core of the change is new versions BN_div_no_branch() and BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), respectively, which are slower, but avoid the security-relevant conditional branches. These are automatically called by BN_div() and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs. Also, BN_is_bit_set() has been changed to remove a conditional branch.

    BN_FLG_CONSTTIME is the new name for the previous BN_FLG_EXP_CONSTTIME flag, since it now affects more than just modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag in the exponent causes BN_mod_exp_mont() to use the alternative implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias.

    Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias.

    BN_BLINDING_new() will now use BN_dup() for the modulus so that the BN_BLINDING structure gets an independent copy of the modulus. This means that the previous "BIGNUM *m" argument to BN_BLINDING_new() and to BN_BLINDING_create_param() now essentially becomes "const BIGNUM *m", although we can't actually change this in the header file before 0.9.9. It allows RSA_setup_blinding() to use BN_with_flags() on the modulus to enable BN_FLG_CONSTTIME.

    [Matthew D Wood (Intel Corp)]

    *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, out-of-context reuse was forbidden only if SSL_VERIFY_PEER was set. This did ensure strict client verification, but meant that, with applications using a single external cache for quite different requirements, clients could circumvent ciphersuite restrictions for a given session ID context by starting a session in a different context. [Bodo Moeller]
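
    A toy model of the rule change described in this entry, added here as an example (it is not OpenSSL's ssl_sess.c): one external session cache shared by two server contexts, with the old lookup (context checked only under SSL_VERIFY_PEER) beside the strict one. The context names, session IDs and ciphersuite assignments are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed scenario, not OpenSSL code: a session cache shared by two
 * server contexts. Each cached session records the session ID context
 * (sid_ctx) it was created under and the ciphersuite negotiated then. */
#define SID_LEN 4
#define CTX_LEN 16

struct session {
    unsigned char id[SID_LEN];
    char sid_ctx[CTX_LEN];   /* context the session was created under */
    const char *cipher;      /* ciphersuite negotiated when it was created */
};

enum { VERIFY_NONE = 0, VERIFY_PEER = 1 };
enum { RULE_OLD = 0, RULE_STRICT = 1 };

/* Find a cached session by ID and apply the reuse rule. RULE_OLD is the
 * behaviour before this change; RULE_STRICT is the behaviour after it. */
const struct session *session_lookup(const struct session *cache, size_t n,
                                     const unsigned char *id, const char *sid_ctx,
                                     int verify_mode, int rule)
{
    for (size_t i = 0; i < n; i++) {
        if (memcmp(cache[i].id, id, SID_LEN) != 0)
            continue;
        int ctx_matches = strncmp(cache[i].sid_ctx, sid_ctx, CTX_LEN) == 0;
        if (rule == RULE_OLD) {
            /* Out-of-context reuse was refused only when client certificate
             * verification was on; otherwise the session went through. */
            if (verify_mode == VERIFY_PEER && !ctx_matches)
                return NULL;
            return &cache[i];
        }
        /* Strict: the context must match whatever the verify mode is. */
        return ctx_matches ? &cache[i] : NULL;
    }
    return NULL;
}

/* Constructed cache: "intranet" permits an export cipher, "bank" only AES. */
static const struct session demo_cache[] = {
    { {0x01, 0x02, 0x03, 0x04}, "intranet", "EXP-RC4-MD5" },
    { {0x0a, 0x0b, 0x0c, 0x0d}, "bank",     "AES256-SHA"  },
};

/* A client presents the "intranet" session ID to the "bank" context.
 * Returns 1 if the export-cipher session would be resumed there, i.e. the
 * "bank" ciphersuite restriction was circumvented; 0 if it was refused. */
int demo_weak_session_resumed(int rule, int verify_mode)
{
    const unsigned char offered[SID_LEN] = {0x01, 0x02, 0x03, 0x04};
    const struct session *s = session_lookup(demo_cache, 2, offered, "bank",
                                             verify_mode, rule);
    return s != NULL && strcmp(s->cipher, "AES256-SHA") != 0;
}

/* Resuming the "bank" session inside "bank" must keep working under both rules. */
int demo_same_context_resumed(int rule)
{
    const unsigned char offered[SID_LEN] = {0x0a, 0x0b, 0x0c, 0x0d};
    return session_lookup(demo_cache, 2, offered, "bank", VERIFY_NONE, rule) != NULL;
}
```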

    *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. [Bodo Moeller]

    *) Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was not complete and could lead to a possible single byte overflow. (CVE-2007-5135) [Ben Laurie]

    Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

    *) Since AES128 and AES256 (and similarly Camellia128 and Camellia256) share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't (or if Camellia128 is available and Camellia256 isn't). [Victor Duchovni]

    *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):

    When a point or a seed is encoded in a BIT STRING, we need to prevent the removal of trailing zero bits to get the proper DER encoding. (By default, crypto/asn1/a_bitstr.c assumes the case of a NamedBitList, for which trailing 0 bits need to be removed.) [Bodo Moeller]
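
    The trailing-bit rule behind this fix, in code, as an added example (not OpenSSL's crypto/asn1 code): a small DER BIT STRING encoder that takes a NamedBitList flag, so the same EC point or seed bytes can be encoded both ways and compared. Function names and the sample byte strings are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* DER BIT STRING encoder (added example, not crypto/asn1/a_bitstr.c).
 * X.690 requires a NamedBitList value to be encoded with its trailing zero
 * bits removed; any other BIT STRING, such as an EC point or seed, is an
 * opaque bit sequence whose length must be preserved exactly. */

/* DER length octets for n: short form below 128, else long form (<= 65535). */
static size_t der_put_length(size_t n, unsigned char *out)
{
    if (n < 128) { out[0] = (unsigned char)n; return 1; }
    if (n < 256) { out[0] = 0x81; out[1] = (unsigned char)n; return 2; }
    out[0] = 0x82; out[1] = (unsigned char)(n >> 8); out[2] = (unsigned char)n;
    return 3;
}

/* Encode in[0..inlen) (a whole number of bytes) as tag 03. With named != 0
 * trailing zero bits are stripped and counted in the unused-bits octet;
 * otherwise nothing is stripped and the unused-bits octet is 0.
 * Returns bytes written, or 0 if out is too small or inlen > 65534. */
size_t der_bitstring(const unsigned char *in, size_t inlen, int named,
                     unsigned char *out, size_t outsz)
{
    size_t len = inlen, hlen;
    unsigned char unused = 0, hdr[4];

    if (inlen > 65534) return 0;
    if (named) {
        while (len > 0 && in[len - 1] == 0)
            len--;                           /* drop all-zero trailing bytes */
        if (len > 0) {
            unsigned char last = in[len - 1];
            while ((last & 1) == 0) {        /* count trailing zero bits */
                last >>= 1;
                unused++;
            }
        }
    }
    hdr[0] = 0x03;
    hlen = 1 + der_put_length(len + 1, hdr + 1);   /* +1: unused-bits octet */
    if (outsz < hlen + 1 + len) return 0;
    memcpy(out, hdr, hlen);
    out[hlen] = unused;
    memcpy(out + hlen + 1, in, len);
    return hlen + 1 + len;
}

/* 1 if encoding (in, inlen, named) yields exactly the expected bytes. */
int der_bitstring_check(const unsigned char *in, size_t inlen, int named,
                        const unsigned char *expect, size_t explen)
{
    unsigned char buf[128];
    size_t n = der_bitstring(in, inlen, named, buf, sizeof buf);
    return n == explen && memcmp(buf, expect, n) == 0;
}
```

    With the named form, a point ending in 0x50 still has the same length but gets unused-bits octet 04, which is why ec_asn1.c must request the non-named encoding.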

    *) Have SSL/TLS server implementation tolerate "mismatched" record protocol version while receiving ClientHello even if the ClientHello is fragmented. (The server can't insist on the particular protocol version it has chosen before the ServerHello message has informed the client about his choice.) [Bodo Moeller]

    *) Add RFC 3779 support. [Rob Austein for ARIN, Ben Laurie]

    *) Load error codes if they are not already present instead of using a static variable. This allows them to be cleanly unloaded and reloaded. Improve header file function name parsing. [Steve Henson]

    *) Extend SMTP and IMAP protocol emulation in s_client to use EHLO or CAPABILITY handshake as required by RFCs. [Goetz Babin-Ebell]

    Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

    *) Introduce limits to prevent malicious keys being able to cause a denial of service. (CVE-2006-2940) [Steve Henson, Bodo Moeller]

    *) Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson]

    *) Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

    *) Fix SSL client code which could crash if connecting to a malicious SSLv2 server. (CVE-2006-4343) [Tavis Ormandy and Will Drewry, Google Security Team]

    *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites match only those. Before that, "AES256-SHA" would be interpreted as a pattern and match "AES128-SHA" too (since AES128-SHA got the same strength classification in 0.9.7h) as we currently only have a single AES bit in the ciphersuite description bitmap. That change, however, also applied to ciphersuite strings such as "RC4-MD5" that intentionally matched multiple ciphersuites -- namely, SSL 2.0 ciphersuites in addition to the more common ones from SSL 3.0/TLS 1.0.

    So we change the selection algorithm again: Naming an explicit ciphersuite selects this one ciphersuite, and any other similar ciphersuite (same bitmap) from *other* protocol versions. Thus, "RC4-MD5" again will properly select both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

    Since SSL 2.0 does not have any ciphersuites for which the 128/256 bit distinction would be relevant, this works for now. The proper fix will be to use different bits for AES128 and AES256, which would have avoided the problems from the beginning; however, bits are scarce, so we can only do this in a new release (not just a patchlevel) when we can change the SSL_CIPHER definition to split the single 'unsigned long mask' bitmap into multiple values to extend the available space.

    [Bodo Moeller]
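
    The three selection rules this entry walks through, as an added example (a toy model, not ssl/ssl_ciph.c), over a constructed four-entry table in which AES128 and AES256 share one bit of the description bitmap, as in 0.9.8. The bit values, the rule names and the table are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of ciphersuite-string selection (constructed, not ssl/ssl_ciph.c).
 * PROTO_SSL3 stands for SSL 3.0/TLS 1.0 as in the entry above. */
enum { PROTO_SSL2 = 2, PROTO_SSL3 = 3 };

/* Toy description bitmap; AES128 and AES256 share the single M_AES bit. */
#define M_RSA  0x01UL
#define M_RC4  0x02UL
#define M_AES  0x04UL
#define M_MD5  0x10UL
#define M_SHA1 0x20UL

struct cipher { const char *name; int proto; unsigned long mask; };

static const struct cipher table[] = {
    { "RC4-MD5",    PROTO_SSL2, M_RSA | M_RC4 | M_MD5  },
    { "RC4-MD5",    PROTO_SSL3, M_RSA | M_RC4 | M_MD5  },
    { "AES128-SHA", PROTO_SSL3, M_RSA | M_AES | M_SHA1 },
    { "AES256-SHA", PROTO_SSL3, M_RSA | M_AES | M_SHA1 },
};
#define NTABLE (sizeof table / sizeof table[0])

enum {
    RULE_PATTERN = 0, /* before 0.9.8b: the named suite's bitmap used as a pattern */
    RULE_EXACT   = 1, /* 0.9.8b/c: only the one ciphersuite so named */
    RULE_FIXED   = 2  /* 0.9.8d: that one, plus same bitmap in *other* protocols */
};

/* Store the indices of the ciphersuites `str` selects under `rule` in sel[]
 * (at most max) and return how many there are; 0 if no suite has that name. */
size_t select_ciphers(const char *str, int rule, size_t sel[], size_t max)
{
    const struct cipher *named = NULL;
    size_t n = 0;

    for (size_t i = 0; i < NTABLE; i++)
        if (strcmp(table[i].name, str) == 0) { named = &table[i]; break; }
    if (named == NULL)
        return 0;   /* aliases such as "AES" are not modelled here */

    for (size_t i = 0; i < NTABLE && n < max; i++) {
        const struct cipher *c = &table[i];
        int same_mask = c->mask == named->mask;
        int pick;
        if (rule == RULE_PATTERN)
            pick = same_mask;               /* "AES256-SHA" also takes AES128-SHA */
        else if (rule == RULE_EXACT)
            pick = c == named;              /* "RC4-MD5" loses its SSL 2.0 twin */
        else
            pick = c == named || (same_mask && c->proto != named->proto);
        if (pick)
            sel[n++] = i;
    }
    return n;
}

/* Convenience: how many ciphersuites a string selects under a rule. */
size_t count_selected(const char *str, int rule)
{
    size_t sel[NTABLE];
    return select_ciphers(str, rule, sel, NTABLE);
}
```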

    Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

    *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339) [Ben Laurie and Google Security Team]

    *) Add AES IGE and biIGE modes. [Ben Laurie]

    *) Change the Unix randomness entropy gathering to use poll() when possible instead of select(), since the latter has some undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller]

    *) Disable "ECCdraft" ciphersuites more thoroughly. Now special treatment in ssl/ssl_ciph.s makes sure that these ciphersuites cannot be implicitly activated as part of, e.g., the "AES" alias. However, please upgrade to OpenSSL 0.9.9[-dev] for non-experimental use of the ECC ciphersuites to get TLS extension support, which is required for curve and point format negotiation to avoid potential handshake problems. [Bodo Moeller]

    *) Disable rogue ciphersuites:

    - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
    - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
    - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

    The latter two were purportedly from draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there.

    Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired. [Bodo Moeller]

    *) Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues. [Bodo Moeller]

    *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key versions), which is now available for royalty-free use (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). Also, add Camellia TLS ciphersuites from RFC 4132.

    To minimize changes between patchlevels in the OpenSSL 0.9.8 series, Camellia remains excluded from compilation unless OpenSSL is configured with 'enable-camellia'. [NTT]

    *) Disable the padding bug check when compression is in use. The padding bug check assumes the first packet is of even length; this is not necessarily true if compression is enabled and can result in false positives causing handshake failure. The actual bug test is ancient code so it is hoped that implementations will either have fixed it by now or any which still have the bug do not support compression. [Steve Henson]

    Changes between 0.9.8a and 0.9.8b [04 May 2006]

    *) When applying a cipher rule check to see if string match is an explicit cipher suite and only match that one cipher suite if it is. [Steve Henson]

    *) Link in manifests for VC++ if needed. [Austin Ziegler]

    *) Update support for ECC-based TLS ciphersuites according to draft-ietf-tls-ecc-12.txt with proposed changes (but without TLS extensions, which are supported starting with the 0.9.9 branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila]

    *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support opaque EVP_CIPHER_CTX handling. [Steve Henson]

    *) Fixes and enhancements to zlib compression code. We now only use "zlib1.dll" and use the default __cdecl calling convention on Win32 to conform with the standards mentioned here: http://www.zlib.net/DLL_FAQ.txt Static zlib linking now works on Windows and the new --with-zlib-include --with-zlib-lib options to Configure can be used to supply the location of the headers and library. Gracefully handle case where zlib library can't be loaded. [Steve Henson]

    *) Several fixes and enhancements to the OID generation code. The old code sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't handle numbers larger than ULONG_MAX, truncated printing and had a non standard OBJ_obj2txt() behaviour. [Steve Henson]

    *) Add support for building of engines under engine/ as shared libraries under VC++ build system. [Steve Henson]

    *) Corrected the numerous bugs in the Win32 path splitter in DSO. Hopefully, we will not see any false combination of paths any more. [Richard Levitte]

    Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

    *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING (part of SSL_OP_ALL). This option used to disable the countermeasure against man-in-the-middle protocol-version rollback in the SSL 2.0 server implementation, which is a bad idea. (CVE-2005-2969)

    [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center for Information Security, National Institute of Advanced Industrial Science and Technology [AIST], Japan)]

    *) Add two functions to clear and return the verify parameter flags. [Steve Henson]

    *) Keep cipherlists sorted in the source instead of sorting them at runtime, thus removing the need for a lock. [Nils Larsch]

    *) Avoid some small subgroup attacks in Diffie-Hellman. [Nick Mathewson and Ben Laurie]

    *) Add functions for well-known primes. [Nick Mathewson]

    *) Extended Windows CE support. [Satoshi Nakamura and Andy Polyakov]

    *) Initialize SSL_METHOD structures at compile time instead of during runtime, thus removing the need for a lock. [Steve Henson]

    *) Make PKCS7_decrypt() work even if no certificate is supplied by attempting to decrypt each encrypted key in turn. Add support to smime utility. [Steve Henson]

    Changes between 0.9.7h and 0.9.8 [05 Jul 2005]

    [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after OpenSSL 0.9.8.]

    *) Add libcrypto.pc and libssl.pc for those who feel they need them. [Richard Levitte]

    *) Change CA.sh and CA.pl so they don't bundle the CSR and the private key into the same file any more. [Richard Levitte]

    *) Add initial support for Win64, both IA64 and AMD64/x64 flavors. [Andy Polyakov]

    *) Add -utf8 command line and config file option to 'ca'. [Stefan


    *) Use SHA-1 instead of MD5 as the default digest algorithm for the apps/openssl applications. [Nils Larsch]

    *) Compile clean with "-Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Werror". Currently DEBUG_SAFESTACK must also be set. [Ben Laurie]

    *) Change ./Configure so that certain algorithms can be disabled by default. The new counterpiece to "no-xxx" is "enable-xxx".

    The patented RC5 and MDC2 algorithms will now be disabled unless "enable-rc5" and "enable-mdc2", respectively, are specified.

    (IDEA remains enabled despite being patented. This is because IDEA is frequently required for interoperability, and there is no license fee for non-commercial use. As before, "no-idea" can be used to avoid this algorithm.)

    [Bodo Moeller]

    *) Add processing of proxy certificates (see RFC 3820). This work was sponsored by KTH (The Royal Institute of Technology in Stockholm) and EGEE (Enabling Grids for E-science in Europe). [Richard Levitte]

    *) RC4 performance overhaul on modern architectures/implementations, such as Intel P4, IA-64 and AMD64. [Andy Polyakov]

    *) New utility extract-section.pl. This can be used to specify an alternative section number in a pod file instead of having to treat each file as a separate case in Makefile. This can be done by adding two lines to the pod file:

    =for comment openssl_section:XXX

    The blank line is mandatory.

    [Steve Henson]

    *) New arguments -certform, -keyform and -pass for s_client and s_server to allow alternative format key and certificate files and passphrase sources. [Steve Henson]

    *) New structure X509_VERIFY_PARAM which combines current verify parameters, update associated structures and add various utility functions.

    Add new policy related verify parameters, include policy checking in standard verify code. Enhance 'smime' application with extra parameters to support policy checking and print out. [Steve Henson]

    *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 Nehemiah processors. These extensions support AES encryption in hardware as well as RNG (though RNG support is currently disabled). [Michal Ludvig, with help from Andy Polyakov]


    *) Deprecate BN_[get|set]_params() functions (they were ignored internally). [Geoff Thorpe]

    *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. [Andy Polyakov and a number of other people]

    *) Improved PowerPC platform support. Most notably BIGNUM assembler implementation contributed by IBM. [Suresh Chari, Peter Waltenberg, Andy Polyakov]

    *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public exponent rather than 'unsigned long'. There is a corresponding change to the new 'rsa_keygen' element of the RSA_METHOD structure. [Jelte Jansen, Geoff Thorpe]

    *) Functionality for creating the initial serial number file is now moved from CA.pl to the 'ca' utility with a new option -create_serial.

    (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial number file to 1, which is bound to cause problems. To avoid the problems while respecting compatibility between different 0.9.7 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in CA.pl for serial number initialization. With the new release 0.9.8, we can fix the problem directly in the 'ca' utility.) [Steve Henson]

    *) Reduced header interdependencies by declaring more opaque objects in ossl_typ.h. As a consequence, including some headers (eg. engine.h) will give fewer recursive includes, which could break lazy source code - so this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, developers should define this symbol when building and using openssl to ensure they track the recommended behaviour, interfaces, [etc], but backwards-compatible behaviour prevails when this isn't defined. [Geoff Thorpe]

    *) New function X509_POLICY_NODE_print() which prints out policy nodes. [Steve Henson]

    *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. This will generate a random key of the appropriate length based on the cipher context. The EVP_CIPHER can provide its own random key generation routine to support keys of a specific form. This is used in the des and 3des routines to generate a key of the correct parity. Update S/MIME code to use new functions and hence generate correct parity DES keys. Add EVP_CHECK_DES_KEY #define to return an error if the key is not valid (weak or incorrect parity). [Steve Henson]
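
    The parity and weak-key checks this entry refers to, as an added example that is not OpenSSL's DES code: odd-parity fixing, the 16 weak/semi-weak DES keys, and a key-generation loop that discards weak keys. The loop is driven here by a constructed deterministic byte source in place of a real RNG so that its behaviour can be checked; the function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* DES key hygiene (added example, not OpenSSL's des code): bit 0 of every
 * key byte is a parity bit that must make the byte's bit count odd, and the
 * 16 well-known weak/semi-weak keys must never be handed out. */
static int popcount8(unsigned char b) { int c = 0; for (; b; b >>= 1) c += b & 1; return c; }

/* Recompute the parity bit of each byte so that the byte has odd parity. */
void des_set_odd_parity(unsigned char key[8])
{
    for (int i = 0; i < 8; i++) {
        unsigned char material = key[i] & 0xFE;   /* the 7 key bits */
        key[i] = material | (unsigned char)((popcount8(material) & 1) ^ 1);
    }
}

/* 1 if every byte already has odd parity. */
int des_check_key_parity(const unsigned char key[8])
{
    for (int i = 0; i < 8; i++)
        if ((popcount8(key[i]) & 1) == 0) return 0;
    return 1;
}

/* The 4 weak and 12 semi-weak DES keys, already in odd-parity form. */
static const unsigned char weak_keys[16][8] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

int des_is_weak_key(const unsigned char key[8])
{
    for (int i = 0; i < 16; i++)
        if (memcmp(key, weak_keys[i], 8) == 0) return 1;
    return 0;
}

/* What an EVP_CHECK_DES_KEY-style check rejects: bad parity or a weak key. */
int des_check_key(const unsigned char key[8])
{ return des_check_key_parity(key) && !des_is_weak_key(key); }

/* Draw key bytes from rnd (1 on success), fix parity, retry while weak. */
int des_random_key(unsigned char key[8], int (*rnd)(unsigned char *, size_t))
{
    for (int attempt = 0; attempt < 16; attempt++) {
        if (!rnd(key, 8)) return 0;
        des_set_odd_parity(key);
        if (!des_is_weak_key(key)) return 1;
    }
    return 0;   /* unreachable with a working RNG */
}

/* Constructed deterministic byte source for the demo: its first draw is all
 * zeros, which parity fixing turns into the weak key 01 01 01 01 01 01 01 01. */
static int demo_draws;
static int demo_source(unsigned char *buf, size_t n)
{
    demo_draws++;
    for (size_t i = 0; i < n; i++)
        buf[i] = demo_draws == 1 ? 0x00 : (unsigned char)(0x37 + 0x11 * i);
    return 1;
}

/* Returns how many draws it took to get a key that passes des_check_key. */
int demo_generate(void)
{
    unsigned char key[8];
    demo_draws = 0;
    if (!des_random_key(key, demo_source) || !des_check_key(key)) return 0;
    return demo_draws;
}
```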

    *) Add a local set of CRLs that can be used by X509_verify_cert() as well as looking them up. This is useful when the verified structure may contain CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs present unless the new PKCS7_NO_CRL flag is asserted. [Steve Henson]

    *) Extend ASN1 oid configuration module. It now additionally accepts the syntax:

    shortName = some long name, 1.2.3.4

    [Steve Henson]


    *) Reimplemented the BN_CTX implementation. There is now no more static limitation on the number of variables it can handle nor the depth of the "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack information can now expand as required, and rather than having a single static array of bignums, BN_CTX now uses a linked-list of such arrays allowing it to expand on demand whilst maintaining the usefulness of BN_CTX's "bundling". [Geoff Thorpe]

    *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD to allow all RSA operations to function using a single BN_CTX. [Geoff Thorpe]

    *) Preliminary support for certificate policy evaluation and checking. This is initially intended to pass the tests outlined in "Conformance Testing of Relying Party Client Certificate Path Processing Logic" v1.07. [Steve Henson]

    *) bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and remained unused and not that useful. A variety of other little bignum tweaks and fixes have also been made continuing on from the audit (see below). [Geoff Thorpe]

    *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with associated ASN1, EVP and SSL functions and old ASN1 macros. [Richard Levitte]

    *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, and this should never fail. So the return value from the use of BN_set_word() (which can fail due to needless expansion) is now deprecated; if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. [Geoff Thorpe]

    *) BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new(). [Geoff Thorpe, suggested by Ulf Möller]

    *) Support for inhibitAnyPolicy certificate extension. [Steve Henson]

    *) An audit of the BIGNUM code is underway, for which debugging code is enabled when BN_DEBUG is defined. This makes stricter enforcements on what is considered valid when processing BIGNUMs, and causes execution to assert() when a problem is discovered. If BN_DEBUG_RAND is defined, further steps are taken to deliberately pollute unused data in BIGNUM structures to try and expose faulty code further on. For now, openssl will (in its default mode of operation) continue to tolerate the inconsistent forms that it has tolerated in the past, but authors and packagers should consider trying openssl and their own applications when compiled with these debugging symbols defined. It will help highlight potential bugs in their own code, and will improve the test coverage for OpenSSL itself. At some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details. [Geoff Thorpe, Nils Larsch, Ulf Möller]

    *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly initialises it). The presence of this function only made it possible to overwrite an existing structure (and cause memory leaks). [Geoff Thorpe]

    *) Because of the callback-based approach for implementing LHASH as a template type, lh_insert() adds opaque objects to hash-tables and lh_doall() or lh_doall_arg() are typically used with a destructor callback to clean up those corresponding objects before destroying the hash table (and losing the object pointers). So some over-zealous constifications in LHASH have been relaxed so that lh_insert() does not take (nor store) the objects as "const" and the lh_doall[_arg] callback wrappers are not prototyped to have "const" restrictions on the object pointers they are given (and so aren't required to cast them away any more). [Geoff Thorpe]

    *) The tmdiff.h API was so ugly and minimal that our own timing utility (speed) prefers to use its own implementation. The two implementations haven't been consolidated as yet (volunteers?) but the tmdiff API has had its object type properly exposed (MS_TM) instead of casting to/from "char *". This may still change yet if someone realises MS_TM and "ms_time_***" aren't necessarily the greatest nomenclatures - but this is what was used internally to the implementation so I've used that for now. [Geoff Thorpe]

    *) Ensure that deprecated functions do not get compiled when OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of the self-tests were still using deprecated key-generation functions so these have been updated also. [Geoff Thorpe]

    *) Reorganise PKCS#7 code to separate the digest location functionality into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest(). New function PKCS7_set_digest() to set the digest type for PKCS#7 digestedData type. Add additional code to correctly generate the digestedData type and add support for this type in PKCS7 initialization functions. [Steve Henson]

    *) New function PKCS7_set0_type_other(); this initializes a PKCS7 structure of type "other". [Steve Henson]

    *) Fix prime generation loop in crypto/bn/bn_prime.pl by making sure the loop does correctly stop and breaking ("division by zero") modulus operations are not performed. The (pre-generated) prime table crypto/bn/bn_prime.h was already correct, but it could not be re-generated on some platforms because of the "division by zero" situation in the script. [Ralf S. Engelschall]

    *) Update support for ECC-based TLS ciphersuites according to draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with SHA-1 now is only used for "small" curves (where the representation of a field element takes up to 24 bytes); for larger curves, the field element resulting from ECDH is directly used as premaster secret. [Douglas Stebila (Sun Microsystems Laboratories)]

    *) Add code for kP+lQ timings to crypto/ec/ectest.c,